<html>
    <head>
        <script>
            function createXHR() {
                var xhr = new XMLHttpRequest();
                xhr.expando = "foo";
                return xhr;
            }

            function tryToUseXHR(xhr, ok) {
                function expectException(op, reason) {
                    try {
                        var result = op();
                        ok(false, "should have thrown an exception, got: " + result);
                    } catch (e) {
                        ok(/Permission denied/.test(e.toString()), reason);
                    }
                }

                expectException(function() { xhr.open(); }, "should not have access to any functions");
                expectException(function() { xhr.foo = "foo"; }, "should not be able to add expandos");
                expectException(function() { xhr.withCredentials = true; }, "should not be able to set attributes");
            }
        </script>
    </head>
    <body>
    </body>
</html>
